Are You In A Decision Trap? You Decide.

Renee Murphy

Before joining Forrester, I ran my own consulting firm. No matter how ridiculous the problem or how complicated the solution, when a client would ask if I could help, I would say yes. Some people might say I was helpful, but I was in an overconfidence trap. There was always this voice in the back of my mind that would say, “How hard could it be?” Think of the havoc that kind of trap can wreak on a risk management program. If any part of the risk program is qualitative, and you are an overconfident person, your risk assessments will be skewed. If you are in an overconfidence trap, force yourself to estimate the extremes and imagine the scenarios in which those extremes can happen. This will help you recognize when you are being overconfident and allow you to find the happy medium.

Have you ever padded the budget of a project “just to be safe”? I hate to tell you this, but you are in the prudence trap. By padding the project budget, you are anticipating an unknown. Many other managers in your company may be using the same “strategy.” But the next time you do a project like this, you will pad the budget again, because the inherent uncertainty is still there. The easiest way to keep your risk management program out of the prudence trap is to never adjust your risk assessments to be “on the safe side.” There is nothing safe about using a psychological trap to predict risk.

Skinning The Innovation Cat

Tyler Shields

There are many ways to skin a cat. The same can be said of innovation. When I mention innovation in conversation, people generally think about a process of making a product bigger, faster, better, or stronger. However, product improvement is just one type of innovation. Innovation can target the process around creating a product, resulting in lower costs such as the "lean manufacturing" innovations from the automobile company Toyota. Innovation can target improvements in the design of marketing materials, creating a more emotionally appealing advertising campaign and resulting in higher revenue. Marketing innovation has been used by numerous firms over the years to reinvigorate their concepts and company. Samsung designed their Bordeaux television line after being inspired by a wine glass. They have been on the top of the television market ever since. Innovation can even mean cultural innovation in which the culture of the company changes and innovates to come in line with a newly updated corporate vision increasing employee loyalty, retention, and overall happiness. Innovation has many faces.

Allow Me To Introduce Myself...

Renee Murphy

Allow me to introduce myself. I am Renee Murphy, and I am a new Sr. Analyst here at Forrester Research. Prior to joining Forrester, I was both an internal and external auditor. My experience includes network and data center engineering and management, operations process development and implementation, and creating auditable technology environments in many different industries with diverse client needs.

I often say that trust is not a control, luck is not a strategy, and if you can’t have fun in Albuquerque, you aren’t a fun person. (That last one isn't really useful unless you are in Albuquerque and having a bad time.) I joined Forrester to use my audit powers for good and not evil, and I plan to assist you with your audit issues, control frameworks, regulatory requirements, risk management, and security, building stronger relationships between you and your auditors.

With my extensive regulatory knowledge and technical process expertise, my goal is to give Forrester clients a unique view of your regulatory and best practice programs to ensure that you take advantage of the efficiencies that strong audit and control frameworks can provide. I will also help you navigate the security and risk ramifications of existing and upcoming regulatory requirements. 

I am proud and very excited to be part of the Forrester family and I look forward to working closely with our clients to help them achieve their GRC goals.

What does the smartwatch mean for IAM? Safer, more versatile authentication, easier mobile payments and less fraud

Andras Cser

Today we saw the announcement of the Samsung smartwatch, Galaxy Gear. 

I am certain that this new smartwatch form factor will fill a niche: augmenting the input and output of a mobile phone or device (Samsung's, initially) and then, with further miniaturization, taking over more and more of the smartphone's functionality.

Beyond the cool factor, there are immense and also immediate security benefits to be gained from a smartwatch:

  • You can use the smartwatch as an "invisible" token. If the watch is on your wrist, an application running on the smartphone, mobile device or even a PC will sense the proximity of the smartwatch and thus authenticate and let you in. Without the smartwatch being nearby, you won't be able to (easily) log into the mobile application. This is very similar to Entrust's mobile phone token paired on Bluetooth with a PC, except now the smartphone is the PC and the token is the smartwatch. Further, it's a lot harder to steal your watch than it is to steal your mobile phone. The watch can also use motion, gait, etc. as extra factors for authentication beyond just "being there." Putting a fingerprint reader on a smartwatch may also be an easy way to authenticate users.
  • Voiceprint authentication to the watch and through the watch. This is where voice control and voiceprint authentication will come of age. Since the smartwatch lacks any usable input interface other than voice control, using your voiceprint to authenticate to 1) the smartwatch and its applications and 2) through the smartwatch to the smartphone or mobile device will be the easiest option. We expect that the above use case will give a whole new boost to the voiceprint biometrics market.

2013Q3 IAM Suites Wave is out today

Andras Cser

In Forrester's 16-criteria evaluation of comprehensive identity and access management (IAM) suites, we identified the nine most significant vendors in the category — Aveksa, CA Technologies, Courion, Dell, IBM, NetIQ, Oracle, Ping Identity, and SecureAuth — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their enterprise, business-to-business, and consumer-facing IAM deployments. Get the document at http://www.forrester.com/The+Forrester+Wave+Identity+And+Access+Management+Suites+Q3+2013/fulltext/-/E-RES99281

Rise of the 2nd Mobile App War

Tyler Shields

Starting with the inception of the iPhone in 2007 and the invention of the app store in 2008, Apple, Google, BlackBerry, Microsoft, and a slew of third-party mobile app stores have waged a battle for developers and for app downloads. The winner of the "App War" would go on to win the consumer vote and eventually make a truckload of money, both in pure revenue and in an increase in the value of their company stock.

All of the fighting has resulted in multiple casualties. BlackBerry couldn't keep up the pace and was eventually chopped off at the knees. Microsoft has yet to gain enough developer volume to be a real threat and will eventually reinvent itself as a new company under new leadership. Third-party app stores are distributed and nimble but really amount to nothing more than splinter groups using guerrilla tactics against the major nation states. They just can't compete in the long term.

In the United States, Google Play and Apple iTunes have become the two superpowers in the mobile app war. With exceptional mobile application uptake, these two players have come to dominate the consumer mobile space. Phones don't sell phones... applications sell phones, and these two players have won.

Point Solutions Must Die

Rick Holland

Last year I wrote a blog post titled, “Incident Response Isn’t About Point Solutions; It Is About An Ecosystem.” This concept naturally extends beyond incident response to broader enterprise defense. An ecosystem approach provides us an alternative to the cobbling together of the Frankenstein-esque security infrastructure that is so ubiquitous today.

Many of us in the information security space have a proud legacy of only purchasing best-in-breed point solutions. In my early days as an information security practitioner, I only wanted to deploy these types of standalone solutions. One of the problems with this approach is that it results in a bloated security portfolio with little integration between security controls. This bloat adds unneeded friction to the infosec team’s operational responsibilities. We talk about adding friction to make the attacker’s job more difficult; what about this self-imposed friction? S&R pros’ jobs are hard enough. I’m not suggesting that you eliminate best-in-breed solutions from consideration; I’m suggesting that any “point solution” that functions in isolation and adds unneeded operational friction shouldn’t be considered.

Mobile Application Security Maturity - Leveling Up.

Tyler Shields

Enterprises are struggling to understand the risk and privacy impacts of the mobile applications in use in their environment. As the consumerization of mobile continues to shove BYOD into the enterprise, the number of applications in use is growing exponentially. Organizations must get a better handle on just how much risk is accumulating from the proliferation of mobile apps on their users’ devices.

I'm currently researching a concept designed to help an enterprise know where it stands on the mobile application security maturity curve. Understanding where you currently reside is the quickest way to determine the path required to improve your standing in the future.

Does your organization allow BYOD?
Do you inventory all of the mobile applications in use in your environment?
Do you execute security and privacy analysis on mobile applications in an organized fashion?
How do you define and enforce policies around mobile application security?

I’ve created a survey to determine current baseline enterprise mobile application maturity levels. If you are involved in the mobile management and security decisions of your enterprise, now is your time to help. Please go to the survey link below and fill out the form. I will summarize some of the findings in a future blog post.

Startups That Were At BlackHat 2013

Heidi Shey

What happens in Vegas shouldn’t stay in Vegas. I was out at BlackHat with other members of the Forrester team over a week ago (seems like yesterday!). It was two jam-packed days of popping into briefings, guzzling copious amounts of green tea, meeting new people, and learning new things. In general, I like to keep an eye and ear out for startups to see what’s bubbling up, and I came across a few at BlackHat:

  • Co3 Systems. Co3 Systems* helps to automate the four pillars of incident response (prepare, assess, manage, and report) and break down responsibilities and response to ensure best practices are followed along with compliance with regulatory requirements. They just updated their security module to include threat intelligence feeds from iSIGHT Partners, AlienVault, Abuse.ch and SANS, and recently rolled out an EU data privacy and breach notification update to the product. I’m a numbers nerd, so when they let me play with the solution, I immediately started running simulations that estimated the cost of a breach.
  • FileTrek. FileTrek provides visibility and transparency into where data resides, how it’s being accessed, moved, used, changed, and shared between people, devices, and files. No, it’s not DLP. It’s more like the mother of all audit trails that takes context and sequence of events into account. That way, if someone who is supposed to have access to data starts to do things with it beyond what they normally do, FileTrek will flag it as suspicious activity.

Five Common Legal & Regulatory Challenges With Social Media

Nick Hayes

It should come as no surprise that regulators and organizations alike struggle to set and enforce guidelines for social media activity. It’s not just that the rise of social media is rapidly transforming the way we interact with people, customers, and brands; it’s also the sheer number of ways in which this transformation is happening.

The core issue is that social media alters the way we as individuals share who we are, merging our roles as people, professionals, and consumers. As we share more of ourselves on a growing number of social networks, questions quickly surface:

  • How frequently and on what social networks should we post?
  • When should we present ourselves in our professional role versus sharing our personal opinions?
  • Is it okay to be social media friends with co-workers, clients, or your boss?

These are complicated matters for individuals, and absolute conundrums for organizations concerned with how employees behave and interact with others in, and outside of, the workplace. Their questions are even more complicated:

  • Can organizations dictate how their employees use social media?
  • Can they monitor social media conversations or use it to learn more about prospective job applicants?
  • When does the personal connection allowed by social media tools cross the line from business to personal?